Lenovo In Denial: Insists There's No Security Problem With Superfish -- Which Is Very, Very Wrong.

from the so-long-and-thanks-for-all-the-superfish dept

Late last night, people started buzzing on Twitter about the fact that Lenovo, makers of the famous Thinkpad laptops, had been installing a really nasty form of adware on those machines called Superfish. Many news stories started popping up about this, again, focusing on the adware. But putting adware on a computer, while ethically questionable and a general pain in the ass, is not the real problem here. The problem is that the adware in question, Superfish, has an astoundingly stupid way of working that effectively allows for a very easy man in the middle attack on any computer with the software installed, making it a massive security hole that is insanely dangerous.

Lenovo's response? Basically to shrug its shoulders and say it doesn't understand why anyone's that upset. This is because whoever wrote Lenovo's statement on this is completely clueless about computer security.

We have thoroughly investigated this technology and do not find any evidence to substantiate security concerns.

Bullshit. That's really the only response that should be said to that line. Lenovo focuses on the reasons why many people normally hate adware: that it tracks what you're doing and sends info back to third parties. That's not what Superfish does, so Lenovo doesn't see what the big deal is. Superfish, which was just recently ranked 64th by Forbes in its list of "Most Promising American Companies," tries to watch what you're surfing, and when you see certain images, the service injects other offerings for similar (or the same) products. In theory, if one chose to use such a product, you could see why it could be useful. But automatically putting it on computers is a different thing altogether.

The real problem is in how Superfish deals with HTTPS protected sites. Since, in theory, it shouldn't be able to see the images on those sites, it appears that Superfish came up with what it must have believed was a clever workaround: it installs its own self-signed root certificate into the machine's trusted store, so that any HTTPS page it intercepts looks perfectly legitimate to the browser. For many years, we've pointed out why the HTTPS system with certificate authorities is open to a giant man in the middle attack via any certificate authority willing to grant a fake certificate -- and here we basically have Lenovo enabling this questionable company to go hogwild with this exact kind of MITM attack. Basically, EVERY SINGLE HTTPS SITE that you visit was a victim of this kind of MITM attack -- solely for the purpose of injecting Superfish ads. In fact, some have suggested it could apply to VPNs as well. Basically this is a massively dangerous security hole with wide ranging implications. And Lenovo says they don't see why.

And, even beyond that, it's implemented incredibly stupidly -- in a way that is ridiculously dangerous. That's because it appears that the private key used for the Superfish certificate is the same on basically every install of this software. And it didn't take very long at all for security folks, such as Robert Graham, to crack the password on that private key, meaning that it's now incredibly easy to get access to information someone thinks is encrypted. As Graham notes, the password is "komodia" which just so happens to also be the name of a company that "redirects" HTTPS traffic (for spying on kids and such).

This is a massive and ridiculous security threat, and Lenovo is completely brushing it off as nothing big. As many have noted, people have been complaining about the adware components of the software for months now, and Lenovo announced that it was stopping installs, because some people didn't like the way the software created popups and such -- but with no mention of the massive security problems. And, even now, the company doesn't seem willing to admit to them.

Furthermore, the company doesn't even seem willing to say what machines it installed them on, or provide people with instructions on how to protect themselves (simply uninstalling Superfish won't do it). This is a huge mess. I've personally been a very loyal Lenovo Thinkpad customer for years, having bought many, many laptops. In fact, just a couple months ago -- right in the middle of the period of when Superfish was being preloaded -- I bought a new Thinkpad laptop, though it appears that mine is not one that includes Superfish. Still, Lenovo created a huge and dangerous mess, and they don't seem to recognize it at all. This kind of fuck up is much worse than the whole Sony rootkit thing from a decade or so ago, and as with Sony then, Lenovo doesn't seem to have the slightest clue of just how badly it has put people at risk.
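Because the trusted root stays behind even after the adware is uninstalled, the practical check is to audit the Windows root stores directly. The following PowerShell script is an added example, not code from the article or from Lenovo; it flags any trusted root whose name matches a pattern (the "Superfish" pattern is an assumption, adjust it) and, more importantly, any trusted root whose private key is present on the machine, since that is exactly what lets the machine mint a certificate for any HTTPS site.

```powershell
# Added example: audit Windows root certificate stores for interception CAs.
# Two signals are reported:
#   1. subject or issuer matches a name pattern (assumed default: *Superfish*)
#   2. the root's private key is present on this machine (HasPrivateKey), which
#      means software on this box can sign a certificate for any site the OS trusts
param(
    [string[]]$SuspectPattern = @('*Superfish*')   # assumption; extend for other names
)

function Get-SuspiciousRoots {
    param([string[]]$Patterns)
    # Both stores are checked: a root in either one is trusted by the browser.
    $stores = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')
    foreach ($store in $stores) {
        foreach ($cert in (Get-ChildItem -Path $store)) {
            $nameHit = $false
            foreach ($p in $Patterns) {
                if ($cert.Subject -like $p -or $cert.Issuer -like $p) { $nameHit = $true }
            }
            # A trusted root with a locally present private key is the strongest
            # signal: workstations should never hold a root CA's signing key.
            if ($nameHit -or $cert.HasPrivateKey) {
                [pscustomobject]@{
                    Store         = $store
                    Subject       = $cert.Subject
                    Thumbprint    = $cert.Thumbprint
                    NotAfter      = $cert.NotAfter
                    HasPrivateKey = $cert.HasPrivateKey
                    NameMatch     = $nameHit
                }
            }
        }
    }
}

$findings = Get-SuspiciousRoots -Patterns $SuspectPattern
if ($findings) {
    $findings | Format-Table -AutoSize
    Write-Warning "Review each entry; remove it only after confirming it is not a corporate CA you rely on."
} else {
    Write-Output "No suspicious root certificates found in LocalMachine or CurrentUser Root stores."
}
```

Once a hit is confirmed, `Remove-Item` on the certificate's `Cert:` path deletes it; run the audit regardless of whether the adware itself has already been uninstalled.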

It doesn't take much to kill off tremendous goodwill and trust, and Lenovo may have just done so with its pitiful reaction here. It's one thing for Lenovo to have made the stupid decision to install this kind of adware/bloatware. It's a second thing to not realize the security implications of it. However, it's another thing entirely, once it's been pointed out to Lenovo, to then deny that this is a security risk. Lenovo screwed up big time here, and mostly in the way it's responded to the mess it created.

Reader Comments

It did for me

It doesn't take much to kill off tremendous goodwill and trust, and Lenovo may have just done so with its pitiful reaction here.

Including Superfish and the bogus certificate was a terrible thing to do in the first place, but what convinced me to never buy another Lenovo machine in the future was this exact response by them. It indicates either an insane level of incompetence or a deliberate effort to deceive everyone. Either way, that's enough to put them on my "never do business with" list.

Never Lenovo or Thinkpad

Honestly, I've never been a fan of Lenovo or Thinkpad and this just reconfirms my decisions in the first place. This is absolutely ridiculous for any company to not realize exactly what they are doing to a customer's computer. They are either ignorant, incompetent or just liars. Either way, stay away.

So when the government warns us that Chinese hardware manufacturers are selling stuff that will make us vulnerable to being spied on, we shouldn't listen. But when Ars Technica and Robert Graham pass along such a warning, then it's finally time to listen? ;)

Re:

Did the government specifically warn us about this vulnerability? No. How about the 14-year pwn of HDDs? No. Recent and ongoing revelations teach us that the government is far more interested in hacking our systems than it is in warning us. The government is the last place I expect honest, real-time information to come from.

One word: credibility

When the gov says it then you never know if they just try to blame someone else for something they implanted in the first place. If tech sites post something then well... they aren't spying themselves so it is possibly true and I believe them.

btw. Techsite owners: if the NSA visits you the next days and tries to make you post stuff because people believe you more than them... you're welcome!

Re:

If I am not mistaken the government warning was general for all Chinese products without providing evidence (except indicating routers). Those kinds of non-specific warnings are overbroad and bordering on nationalistic state propaganda since it will hurt innocent companies from the country!

The more specific warning seems to be relatively well investigated and documented from fall 2014 to now.

The problem for Lenovo is their insistence that the program people have documented as a potential backdoor should not be seen as any "security concern". For people who know a bit about computers that is scary ignorance or malicious intent, since history has taught us that a potential vulnerability has to be assumed to be a potential future exploit if you have any respect for your customers.

Re: Re: Re:

FWIW, it's not that they don't want to "sell" this stuff to business customers. It's that the scammy software distributors don't want to pay for it on the business lines, because so many business customers replace the stock image with their own.

Re: Re: Re:

"affected", not effected, and I hope you mean because you wiped the included image. Yes, this is a security problem, but running the included software is a security problem in and of itself (even the firmware, these days, but the difficulty of replacing it gives you an excuse not to do it; there's no good reason not to blow away the vendor OS image though).

Lenovo preloaded software

Not too concerned, having installed Linux/BSD on my Lenovo laptops. The hardware used to be good, but one had a keyboard die within the first year, and the other has flaky USB & camera issues. Sigh. Not doing Lenovo again for multiple reasons. Please don't make me go back to Dell.

Re: Why do people think this is a big deal.

You're the 1%. You might have avoided this yourself, but think of all the non-technical (or even technical-but-with-little-free-time) people around you. Your family. Your friends. The employees of businesses you frequent.

Even if you can smugly say you aren't directly affected, this is a concerning vulnerability.

(I mean, I'm a smug Linux user, all my machines run Linux, but a Windows-specific vulnerability like this one still concerns me.)

Re: Re: Why do people think this is a big deal.

This isn't a Windows-specific vulnerability.

While it would be a more difficult task, this could be done on Linux if you buy a pre-built computer with a distro already installed. It just needs to come with a repository URL pointing to the manufacturer and, for example, have openssl-superfish and gnutls-superfish patched libraries installed instead of the upstream libraries.

There is an inherent trust relationship when using a pre-imaged machine, and Lenovo has violated that trust.

Re: Why do people think this is a big deal.

Main problem is most of these were Christmas season laptops. When your mom buys her partner a laptop for Christmas, when a parent buys their child a laptop for school, how many of those random customers will think "I need to image this laptop before I use it?"

How many of the thousands (millions?) of non-technical end users only see a new computer to do research/email/school/etc. and just care that it "just works?"

Those are the people who will be served websites that "require an update" and download a file "signed" by Microsoft.

So what if YOU nuke and pave once a month and wipe every new machine. Does your mom do that? Your siblings? Even your coworkers who should know better?

Re: Re: Why do people think this is a big deal.

Because pre-built computers started coming with so much factory-installed crapware on them, the easiest way to avoid all that was to partition the drive and install a clean bootleg copy of Windows, which you basically paid for anyway (as the installed OEM copy which you won't be getting a refund on if you prefer to use Linux).

That's assuming that it's still easy to install and run non-authorized Windows OS's (though probably not as easy as the time when half the computers in the world were using the same "FCKGW-" XP key).

Isn't it time to cue the prosecutors?

I mean, if they're not too busy harassing journalists and activists and bullying hackers and researchers, maybe, just this once, they could find the time to go after a corporation that deliberately broke the security of tens of thousands of people (and quite possibly many more: that figure is based on the EFF's report about what their SSL observatory has seen).

This is a systematic, malicious, intentional large-scale attack, with serious adverse consequences for those affected...unlike, let's say, mass downloading of academic journal articles. So where are those who like to wield the CFAA like a club? When can we expect to see Lenovo executives being dragged out of their offices? How about the indictments, where are those? And can we expect aggressive prosecution with the threat of long prison sentences?

Some Credit

You have to give them some credit: they stopped adding this stuff in January, well before the story broke.

That said, there's still a lot of product out on store shelves that will take the better part of a year to clear out. Lenovo ought to recall this merchandise and re-image the machines. They could even resell them as refurbished (I for one would look forward to a glut of near-perfect refurbished laptops hitting the market).

There's also the issue of what to do for customers who already purchased these machines. There is, at this point, no evidence of active abuse for this vulnerability. A simple patch that merely removes the entry from the trusted certificates store would be adequate to protect consumers. However, that would leave many of them feeling that their machines are broken (their browser would show every https site they visit as fake), and so completely removing the service will be necessary. This is a harder patch, but just making the patch available and notifying customers would be adequate. At least, it's the bare minimum.

Unfortunately, Lenovo has not yet taken either of these steps. Instead, they published a response that demonstrates a complete lack of understanding of the issue.

Re: Some Credit

"There is, at this point, no evidence of active abuse for this vulnerability."

Which means nothing.

Think about it for a minute: what, exactly, would that evidence look like? And how would one make a definitive connection from it to Superfish?

That circumstance isn't an accident. It's called "plausible deniability" and it will enable Lenovo, during the inevitable class-action lawsuit, to claim that observed symptoms X and Y and Z were not caused or enabled by Superfish, but by some other security issue on the affected systems.

No credit

A simple patch that merely removes the entry from the trusted certificates store would be adequate to protect consumers. However, that would leave many of them feeling that their machines are broken (their browser would show every https site they visit as fake), and so completely removing the service will be necessary. This is a harder patch, but just making the patch available and notifying customers would be adequate.

I would classify such a patch as a necessary, but insufficient, step. As I understand it, there is currently no mechanism to ensure that users discover the existence of the flaw, that they understand the severity of the flaw, or that they understand the need to install the fix proposed here. The extensive news coverage will probably help the first problem. Lenovo's deceptive pseudo-disclosure will hurt with the second problem.

Although not exactly appropriate, a product recall notice occurs to me as one way to notify consumers. Not everyone is guaranteed to read that either, but at least users who worry about physical defects in their purchases will be periodically reading recall announcements. It will help that some vendors have shipped laptops that later were recalled as fire hazards, so monitoring recall notices on one's laptop has practical value.

Consumer line only?

We pretty much use Lenovo products exclusively in my company, but since we load a custom image on them I don't know if any of ours originally shipped with this software. I do know though that their consumer models tend to come with lots of 'free software' that isn't included (or wanted) on their business models.

From the descriptions I've read, this sounds like the kind of product that I might expect to find installed on Lenovo's consumer line products. Does anyone know if this was occurring in "Think" branded products, or only in "idea" branded products?

Tinfoil hat time

So... How long has the NSA known about this adware and been using it as cover for their own access to the machine? Have Lenovo deploy it widely enough to disguise any targeting metrics, use the Superfish update mechanism as their C&C mode, and unless someone actually catches an example where they've tailored the Superfish system, nobody is the wiser.

Add tailored access (QUANTUMINSERT) and even Superfish need not know that their attackware has been compromised.

Re: Re: Tinfoil hat time

Superfish founder & CEO, Adi Pinhas, has a long history in the field of surveillance technology. He is also pretty famous for the fact that every project he has been involved with has been malware and spyware. He's been a fairly reviled figure for over ten years.

So, while speculation about Superfish being an intel front isn't ridiculous, it's also not necessary. I don't think that the company would do anything differently at all if they are or are not, and the intel agencies would derive just as much of a benefit either way.

Mike, Mike, Mike....Why do you so hate capitalism? Lenovo was just trying to maximize profits, as any good capitalist should. Sure, they may have made a mistake, but their heart was in the right place.

My mother's laptop got infected with Superfish a while ago. I ended up having to wipe the laptop, and it had still infected her Microsoft profile's Internet Explorer settings, meaning it came back after she signed back into her fresh install, so I scrubbed that profile clean of it and reformatted again immediately, just to be sure.

I'm certainly never going to buy a Lenovo computer ever again now that I've seen this story. I've got a Lenovo Android device, which has been fine up until now but honestly I don't think I want it any more, given the power manufacturers have over what gets installed remotely onto "their" hardware...

Hang 'em High!

This kind of crap will continue and get even worse. The bad guys know that NO ONE is doing anything about it. All they have to do is say, "Sorry" and all is forgiven. Bullshit! We need to start seeing CEOs going to prison. This is a violation on an epic scale and the consequences should fit the crime. Not only should the CEO of Lenovo go to prison, but so should the people that made the software in the first place. If we start throwing these despicable people in prison others might start to think that this kind of tactic isn't all that great of an idea after all. But if we let it go, then every other prick in the world will be lining up to screw the public as well. As a citizen of this country, I demand that we see these bastards in prison! And you should too!

Re: Hang 'em High!

We are very sorry, but the re-think version of the US Constitution - made possible by the wonderful 9/11 Crisis (tm) - states plainly that nobody among the 1% can be held responsible for their crimes against the 99%, as this is simply business and thus perfectly legal.

If you want justice, you have to join the 1% of the US population, by whatever means - fair or foul - or suffer the consequences of the laws, according to the new Corporate Constitution of the United States of America.